Procedures for Out-of-Band and Inline NAC
Table
Network Scenario | Examples | Security Domain Configuration |
|
|
|
Area of the network that is configured to allow access only to specific
•Switches that provide access to only
For the NAC Gateway, reject all RADIUS authentication attempts. For the NAC Controller, set the Accept Policy to a highly restrictive policy or VLAN such as “Deny All.“
This allows the administrator to locally authorize specific MAC addresses or users by using MAC and user overrides, and rejecting all other connection attempts to the network.
Area of the network that provides access to a group of users or devices that pose a guaranteed low risk to the security and stability of the network.
•Switches that provide network access to servers that are highly protected from attack through the implementation of firewalls as well as
•Switches that provide network access to
Authorize connecting
In NAC Manager, create a Security Domain with the following configuration attributes:
•With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a
This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a less restrictive policy or VLAN.
It should be noted that this configuration may open the network to security threats, and should be reviewed carefully before being implemented.
Area of the network that provides access to a group of users or devices that will be allocated a different set of network resources based on their location on the network.
•Switches that provide access to both trusted and untrusted users on the network, such as conference rooms and cafeterias. These areas can be configured to restrict trusted user access to servers containing sensitive information. This protects against the possibility that an untrusted user obtains access to a trusted user's computer that is logged into the network, or that an untrusted user eavesdrops on sensitive material being viewed by adjacent trusted users.
Impose the level of authorization based on requirements of IT operations.
In NAC Manager, create a Security Domain with the following configuration attributes:
•With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a policy or VLAN in the Accept Policy field.
This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a different policy based on the network location of an end- system.
Enterasys NAC Design Guide